PHP-Nuke v6.0 allows remote users to send email to any address on the internet by entering malformed email addresses. Patch included.
f324c19dbb506141832f85077a736850e56b7b492f689c7d1dbbcc19a71e156e
--- html/mainfile.php.old Thu Dec 19 19:17:10 2002
+++ html/mainfile.php Thu Dec 19 19:24:00 2002
@@ -870,4 +870,13 @@
return($ThemeSel);
}
-?>
\ No newline at end of file
+#
+# Security fix
+# Ulf Harnhammar, VSU Security 2002
+#
+
+function removecrlf($str) {
+ return strtr($str, "\015\012", ' ');
+}
+
+?>
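Review bot: `strtr($str, "\015\012", ' ')` on the added `return` line only maps the first character, because PHP's three-argument strtr ignores the extra characters of the longer translation string; with a two-character `from` and a one-character `to`, CR becomes a space but a bare LF passes through unchanged, and a line feed on its own is enough to end a mail header at every call site that uses this helper (the Feedback, Journal, News and Recommend_Us hunks below). Give both strings the same length, `return strtr($str, "\015\012", '  ');`, or write it as `return str_replace(array("\015", "\012"), ' ', $str);` so the intent survives later edits. A short header comment would also help, e.g. `# Replace CR and LF with spaces so a user-supplied value cannot start a new mail header line`.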
--- html/modules/Feedback/index.php.old Thu Dec 19 19:26:44 2002
+++ html/modules/Feedback/index.php Thu Dec 19 19:28:34 2002
@@ -69,6 +69,8 @@
$send = "no";
}
if ($send != "no") {
+ $sender_name = removecrlf($sender_name); # Security fix
+ $sender_email = removecrlf($sender_email);
$msg = "$sitename\n\n";
$msg .= ""._SENDERNAME.": $sender_name\n";
$msg .= ""._SENDEREMAIL.": $sender_email\n";
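Review bot: `$sender_email` is only passed through `removecrlf` on the added line and is otherwise accepted as given; once line breaks are gone it is still worth refusing anything that does not look like a single address, since the value is presumably also used in the mail headers outside this hunk (not visible here). A minimal anchored check before the `if ($send != "no")` test, such as `if (!preg_match('/^[^\s<>,;]+@[^\s<>,;]+$/', $sender_email)) { $send = "no"; }`, turns a malformed address into a refused send rather than a silently rewritten one. The `if ($send != "no")` block continues past the end of the hunk.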
@@ -93,4 +95,4 @@
CloseTable();
include("footer.php");
-?>
\ No newline at end of file
+?>
--- html/modules/Journal/friend.php.old Thu Dec 19 21:23:27 2002
+++ html/modules/Journal/friend.php Thu Dec 19 21:25:22 2002
@@ -38,6 +38,11 @@
list ($jtitle) = sql_fetch_row($result, $dbi);
if ($send == 1) {
+ $fname = removecrlf($fname); # Security fix
+ $fmail = removecrlf($fmail);
+ $yname = removecrlf($yname);
+ $ymail = removecrlf($ymail);
+
$subject = ""._INTERESTING." $sitename";
$message = ""._HELLO." $fname:\n\n"._YOURFRIEND." $yname "._CONSIDERED."\n\n\n$jtitle\n"._URL.": $nukeurl/modules.php?name=$module_name&file=display&jid=$jid\n\n\n"._AREMORE."\n\n---\n$sitename\n$nukeurl";
mail($fmail, $subject, $message, "From: \"$yname\" <$ymail>\nX-Mailer: PHP/" . phpversion());
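Review bot: On the `mail(...)` line the From header is assembled as `"$yname" <$ymail>`, and `removecrlf` only touches line breaks, so a double quote or angle bracket in `$yname` still escapes the quoted display name and whitespace in `$ymail` yields a malformed address; the same header construction appears in the Recommend_Us hunk below. Strip the quoting characters as well, e.g. `$yname = str_replace(array('"', '<', '>'), '', $yname);` directly after the added `$yname = removecrlf($yname);`, and consider rejecting `$ymail`/`$fmail` values that contain whitespace or angle brackets before calling mail(). The `if ($send == 1)` block continues past the end of the hunk.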
@@ -82,4 +87,4 @@
journalfoot();
-?>
\ No newline at end of file
+?>
--- html/modules/News/friend.php.old Thu Dec 19 20:05:53 2002
+++ html/modules/News/friend.php Thu Dec 19 20:16:24 2002
@@ -50,6 +50,11 @@
function SendStory($sid, $yname, $ymail, $fname, $fmail) {
global $sitename, $nukeurl, $prefix, $dbi, $module_name;
+ $fname = removecrlf($fname); # Security fix
+ $fmail = removecrlf($fmail);
+ $yname = removecrlf($yname);
+ $ymail = removecrlf($ymail);
+
$result2=sql_query("select title, time, topic from ".$prefix."_stories where sid=$sid", $dbi);
list($title, $time, $topic) = sql_fetch_row($result2, $dbi);
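Review bot: The `sql_query` line interpolates `$sid` straight into `where sid=$sid` with no cast or quoting, so SendStory's first parameter reaches the database unvalidated even though the commit sanitises the other four parameters on the lines just above; this is a separate injection path from the mail headers the patch addresses. Normalise it once next to the added lines, `$sid = intval($sid);`, so the query only ever sees an integer (`sid` looks like a numeric key — confirm against the schema). SendStory continues past the end of the hunk.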
@@ -90,4 +95,4 @@
}
-?>
\ No newline at end of file
+?>
--- html/modules/Recommend_Us/index.php.old Thu Dec 19 20:00:45 2002
+++ html/modules/Recommend_Us/index.php Thu Dec 19 20:02:45 2002
@@ -45,6 +45,9 @@
function SendSite($yname, $ymail, $fname, $fmail) {
global $sitename, $slogan, $nukeurl, $module_name;
+ $fmail = removecrlf($fmail); # Security fix
+ $yname = removecrlf($yname);
+ $ymail = removecrlf($ymail);
$subject = ""._INTSITE." $sitename";
$message = ""._HELLO." $fname:\n\n"._YOURFRIEND." $yname "._OURSITE." $sitename "._INTSENT."\n\n\n"._FSITENAME." $sitename\n$slogan\n"._FSITEURL." $nukeurl\n";
mail($fmail, $subject, $message, "From: \"$yname\" <$ymail>\nX-Mailer: PHP/" . phpversion());
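Review bot: `$fname` is the one SendSite parameter left out of the added `removecrlf` calls, whereas the otherwise parallel Journal and News hunks sanitise all four names and addresses; in the visible lines `$fname` only reaches the message body, where a line break is harmless, so this is a consistency point rather than a header problem, but the asymmetry makes it easy for a later edit to reuse `$fname` in a header without noticing. Adding `$fname = removecrlf($fname);` alongside the other three keeps the four call sites identical. SendSite continues past the end of the hunk.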
@@ -76,4 +79,4 @@
}
-?>
\ No newline at end of file
+?>